← Back to Skills Marketplace
qianjunye

us3-skill

by qianjunye · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
365
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install us3
Description
Upload files to UCloud US3 object storage and generate public URLs
Usage Guidance
This skill's code matches its purpose (upload local files to UCloud US3) but contains several red flags you should consider before installing: - Runtime/dependency gaps: Examples call `node` and the code requires npm packages (ufile, mime) but the skill declares no required binaries and has no install step. Ensure Node and the listed npm deps are installed in the agent environment before use. - Unused/extra env var: SKILL.md and metadata request US3_ENDPOINT but the script does not use it — verify whether your environment needs that variable or if the skill is out of sync with its docs. - Sensitive credentials: The skill needs your US3_PRIVATE_KEY and US3_PUBLIC_KEY. These grant upload access to the bucket; only provide keys you trust, consider using least-privilege credentials, and rotate/revoke keys if you stop using the skill. - Exfiltration risk: The tool will read arbitrary local files you point it at and upload them to a public bucket. Don't run it with paths to secrets or sensitive files unless you intend those files to become publicly accessible. - Operational suggestions: Confirm the bucket domain format is correct for your region, run the script in a sandbox or test account first, install dependencies from trusted sources (npm registry), and consider updating the skill to declare Node as a required binary or to include a safe install step. If you want to proceed, verify/prepare the runtime (Node + npm deps), supply credentials scoped appropriately, and test uploads with non-sensitive files first.
Capability Analysis
Type: OpenClaw Skill Name: us3 Version: 1.0.0 The OpenClaw AgentSkills skill bundle for UCloud US3 storage appears benign. The `SKILL.md` clearly outlines its purpose to upload files and generate public URLs, requiring UCloud API keys via environment variables, which is standard practice. The `upload.mjs` script correctly parses command-line arguments using `node:util.parseArgs`, preventing direct shell injection into the Node.js script. While the `--key` parameter example in `SKILL.md` shows shell command substitution (`$(date ...)`) for dynamic naming, this is executed by the invoking shell (the AI agent) before the argument reaches the Node.js script, which then treats the result as a literal string for the object key. The script uses standard Node.js modules and the legitimate `ufile` SDK for UCloud interaction. There is no evidence of data exfiltration to unauthorized endpoints, persistence mechanisms, obfuscation, or other malicious behaviors. The ability to read local files is inherent to an upload skill, and there's no indication of intent to access sensitive files beyond what's explicitly provided as input.
Capability Assessment
Purpose & Capability
Name/description match the code: upload local files to UCloud US3 and produce public URLs. The code requires US3_PUBLIC_KEY, US3_PRIVATE_KEY, and US3_BUCKET which are appropriate. However, the registered metadata and SKILL.md also list US3_ENDPOINT although the runtime code does not use it, and the registry claims no required binaries despite examples invoking `node` — a missing runtime declaration is inconsistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the bundled node script on arbitrary local files (including /tmp and other paths). That is consistent with an upload tool, but it means the skill can read and transmit any local file the agent is told to upload (exfiltration risk if misused). The instructions reference US3_ENDPOINT and absolute skill paths (/root/clawdbot/skills/us3/upload.mjs), which may not match every runtime environment. The runtime script itself does not access files or variables beyond what it should for uploads.
Install Mechanism
This is marked as instruction-only with no install spec, but the package.json/package-lock and upload.mjs require Node and npm packages (ufile, mime, etc.). The registry declares no required binaries. There is therefore no declared mechanism to ensure dependencies exist (or to install them), which is an operational/coherence problem and increases the chance the skill will fail or be run in an unexpected environment.
Credentials
The skill requests US3_PUBLIC_KEY (primary), US3_PRIVATE_KEY, US3_BUCKET and US3_ENDPOINT. The code uses the first three but does not read US3_ENDPOINT, so that variable is unnecessary according to the provided source — a mismatch. The private key is required for signing uploads which is expected, but users should recognize this gives full upload access to the configured public bucket (and could be used to exfiltrate files if misused).
Persistence & Privilege
No elevated persistence requested (always: false). The skill does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install us3
  3. After installation, invoke the skill by name or use /us3
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of US3 skill for uploading and sharing files via UCloud US3 object storage. - Upload local files to UCloud US3 and receive public URLs. - Supports custom object keys and optional URL-only output. - Accepts popular file types including images, videos, documents, audio, and archives. - Returns JSON upload results or direct URLs for easy integration. - Designed for common workflows like Feishu image uploads and batch file processes. - Includes comprehensive usage instructions and error handling guidance.
Metadata
Slug us3
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is us3-skill?

Upload files to UCloud US3 object storage and generate public URLs. It is an AI Agent Skill for Claude Code / OpenClaw, with 365 downloads so far.

How do I install us3-skill?

Run "/install us3" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is us3-skill free?

Yes, us3-skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does us3-skill support?

us3-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created us3-skill?

It is built and maintained by qianjunye (@qianjunye); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments